From fdb5ea2d56c800fdefbec49f602f78158e388f64 Mon Sep 17 00:00:00 2001 From: David James Date: Fri, 29 Apr 2011 17:21:58 -0700 Subject: [PATCH] Check for references to ${ROOT} in install_qa_checks. When ROOT != /, binaries that reference ROOT will load their dependencies from ROOT first rather than from the system-configured path. This is a problem because the ROOT will be / on the target system. Besides the above, this patch also fixes incorrect parsing of scanelf output, where we would treat the RPATHs returned by scanelf as the names of binaries. TEST=When "stricter" FEATURE is enabled, verify that emerge fails when an ebuild references broken rpaths referencing ROOT. When "stricter" FEATURE is not enabled, verify that such references are automatically fixed. Also verify that ebuilds with non-broken RPATHs (e.g. RPATHs referencing $ORIGIN/../lib) are not touched by the change. BUG=chromium-os:14271 Change-Id: I4f29cc4ea9195a1255f080284da1f676e4a2c26b Review URL: http://codereview.chromium.org/6903153 --- bin/misc-functions.sh | 34 ++++++++++++++++++++++++++-------- 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/bin/misc-functions.sh b/bin/misc-functions.sh index af0cc2760..c3109981d 100755 --- a/bin/misc-functions.sh +++ b/bin/misc-functions.sh @@ -184,16 +184,37 @@ install_qa_check() { unset PORTAGE_QUIET fi - # Make sure we disallow insecure RUNPATH/RPATHs - # Don't want paths that point to the tree where the package was built - # (older, broken libtools would do this). Also check for null paths - # because the loader will search $PWD when it finds null paths. - f=$(scanelf -qyRF '%r %p' "${D}" | grep -E "(${PORTAGE_BUILDDIR}|: |::|^:|^ )") + # Make sure we disallow insecure RUNPATH/RPATHs. + # 1) References to PORTAGE_BUILDDIR are banned because it's a + # security risk. We don't want to load files from a + # temporary directory. + # 2) If ROOT != "/", references to ROOT are banned because + # that directory won't exist on the target system. + # 3) Null paths are banned because the loader will search $PWD when + # it finds null paths. + local forbidden_dirs="${PORTAGE_BUILDDIR}" + if [[ -n "$ROOT" ]] && [[ "$ROOT" != "/" ]]; then + forbidden_dirs="${forbidden_dirs} ${ROOT}" + fi + local dir="" rpath_files=$(scanelf -F '%F:%r' -qBR "${D}") + f="" + for dir in ${forbidden_dirs}; do + for l in $(echo "${rpath_files}" | grep -E ":${dir}|::|: "); do + f+=" ${l%%:*}\n" + if ! has stricter ${FEATURES}; then + vecho "Auto fixing rpaths for ${l%%:*}" + TMPDIR="${dir}" scanelf -BXr "${l%%:*}" -o /dev/null + fi + done + done + # Reject set*id binaries with $ORIGIN in RPATH #260331 x=$( find "${D}" -type f \( -perm -u+s -o -perm -g+s \) -print0 | \ xargs -0 scanelf -qyRF '%r %p' | grep '$ORIGIN' ) + + # Print QA notice. if [[ -n ${f}${x} ]] ; then vecho -ne '\n' eqawarn "QA Notice: The following files contain insecure RUNPATHs" @@ -203,9 +224,6 @@ install_qa_check() { vecho -ne '\n' if [[ -n ${x} ]] || has stricter ${FEATURES} ; then insecure_rpath=1 - else - vecho "Auto fixing rpaths for ${f}" - TMPDIR=${PORTAGE_BUILDDIR} scanelf -BXr ${f} -o /dev/null fi fi -- 2.26.2